From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
This patch fixes a bug in tcm_qla2xxx_free_cmd() where cmd->cmd_free = 1
was not being set for an transport_lookup_cmd_lun() failure. This was
causing tcm_qla2xxx_release_cmd() to not drop the cmd descriptor from
qla_tgt_sess->sess_cmd_list, and causing an memory access after release
while walking the active descriptor list during qla_tgt_wait_for_cmds()
shutdown logic.
Reported-by: Roland Dreier <roland@xxxxxxxxxxxxxxx>
Cc: Roland Dreier <roland@xxxxxxxxxxxxxxx>
Cc: Madhuranath Iyengar <mni@xxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxxxxxxxx>
---
drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
index b6b594a..37f0b03 100644
--- a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
+++ b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c
@@ -397,6 +397,8 @@ void tcm_qla2xxx_free_cmd(struct qla_tgt_cmd *cmd)
*/
if (!cmd->se_cmd.se_dev) {
atomic_set(&cmd->cmd_stop_free, 1);
+ atomic_set(&cmd->cmd_free, 1);
+ smp_mb__after_atomic_dec();
transport_generic_free_cmd(&cmd->se_cmd, 0, 0);
return;
}
--
1.7.2.5
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
